bug(20562): allowed_domains are compared case-sensitive if they use g… (#22126)

* bug(20562): allowed_domains are compared case-sensitive if they use glob patterns

* bug(20562): review fixes

builtin/logical/pki/cert_util.go

@@ -659,7 +659,7 @@ func validateNames(b *backend, data *inputBundle, names []string) string {
 
 				if data.role.AllowGlobDomains &&
 					strings.Contains(currDomain, "*") &&
-					glob.Glob(currDomain, name) {
+					glob.Glob(strings.ToLower(currDomain), strings.ToLower(name)) {
 					valid = true
 					break
 				}

builtin/logical/pki/cert_util_test.go

@@ -174,6 +174,24 @@ func TestPki_PermitFQDNs(t *testing.T) {
 			expectedDnsNames: []string{"Example.Net", "eXaMPLe.COM"},
 			expectedEmails:   []string{},
 		},
+		"case insensitivity subdomain validation": {
+			input: &inputBundle{
+				apiData: &framework.FieldData{
+					Schema: fields,
+					Raw: map[string]interface{}{
+						"common_name": "SUB.EXAMPLE.COM",
+						"ttl":         3600,
+					},
+				},
+				role: &roleEntry{
+					AllowedDomains:   []string{"example.com", "*.Example.com"},
+					AllowGlobDomains: true,
+					MaxTTL:           3600,
+				},
+			},
+			expectedDnsNames: []string{"SUB.EXAMPLE.COM"},
+			expectedEmails:   []string{},
+		},
 		"case email as AllowedDomain with bare domains": {
 			input: &inputBundle{
 				apiData: &framework.FieldData{

changelog/22126.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: allowed_domains are now compared in a case-insensitive manner if they use glob patterns
+```